Do not consider transports for restricted mode (e91d98e3) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/net/NetworkPolicyManagerService.java

+1 −80

Original line number	Diff line number	Diff line
		@@ -67,9 +67,6 @@ import static android.net.INetd.FIREWALL_RULE_ALLOW;
		import static android.net.INetd.FIREWALL_RULE_DENY;
		import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_METERED;
		import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_ROAMING;
		import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
		import static android.net.NetworkCapabilities.TRANSPORT_VPN;
		import static android.net.NetworkCapabilities.TRANSPORT_WIFI;
		import static android.net.NetworkPolicy.LIMIT_DISABLED;
		import static android.net.NetworkPolicy.SNOOZE_NEVER;
		import static android.net.NetworkPolicy.WARNING_DISABLED;
		@@ -653,9 +650,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
		/** Map from network ID to the last ifaces on it */
		@GuardedBy("mNetworkPoliciesSecondLock")
		private SparseSetArray<String> mNetworkToIfaces = new SparseSetArray<>();
		/** Map from network ID to last observed transports state */
		@GuardedBy("mNetworkPoliciesSecondLock")
		private final SparseArray<int[]> mNetworkTransports = new SparseArray<>();

		/** Map from netId to subId as of last update */
		@GuardedBy("mNetworkPoliciesSecondLock")
		@@ -1106,14 +1100,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
		ACTION_CARRIER_CONFIG_CHANGED);
		mContext.registerReceiver(mCarrierConfigReceiver, carrierConfigFilter, null, mHandler);

		for (UserInfo userInfo : mUserManager.getAliveUsers()) {
		mConnManager.registerDefaultNetworkCallbackForUid(
		UserHandle.getUid(userInfo.id, Process.myUid()),
		mDefaultNetworkCallback,
		mUidEventHandler
		);
		}

		// listen for meteredness changes
		mConnManager.registerNetworkCallback(
		new NetworkRequest.Builder().build(), mNetworkCallback);
		@@ -1304,11 +1290,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
		ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(
		mContext);
		if (action == ACTION_USER_ADDED) {
		mConnManager.registerDefaultNetworkCallbackForUid(
		UserHandle.getUid(userId, Process.myUid()),
		mDefaultNetworkCallback,
		mUidEventHandler
		);
		// Add apps that are allowed by default.
		addDefaultRestrictBackgroundAllowlistUidsUL(userId);
		try {
		@@ -1433,35 +1414,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
		return changed;
		}

		private static boolean updateTransportChange(SparseArray<int[]> lastValues, int[] newValue,
		Network network) {
		final int[] lastValue = lastValues.get(network.getNetId(), new int[]{});
		final boolean changed = (!Arrays.equals(lastValue, newValue))
		\|\| lastValues.indexOfKey(network.getNetId()) < 0;
		if (changed) {
		lastValues.put(network.getNetId(), newValue);
		}
		return changed;
		}

		private final NetworkCallback mDefaultNetworkCallback = new NetworkCallback() {
		@Override
		public void onAvailable(@NonNull Network network) {
		updateRestrictedModeAllowlistUL();
		}

		@Override
		public void onCapabilitiesChanged(@NonNull Network network,
		@NonNull NetworkCapabilities networkCapabilities) {
		final int[] newTransports = networkCapabilities.getTransportTypes();
		final boolean transportsChanged = updateTransportChange(
		mNetworkTransports, newTransports, network);
		if (transportsChanged) {
		updateRestrictedModeAllowlistUL();
		}
		}
		};

		private final NetworkCallback mNetworkCallback = new NetworkCallback() {
		@Override
		public void onCapabilitiesChanged(@NonNull Network network,
		@@ -4523,44 +4475,13 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
		// TODO: this needs to be kept in sync with
		// PermissionMonitor#hasRestrictedNetworkPermission
		// Check for restricted-networking-mode status
		final boolean isUidAllowedOnRestrictedNetworks =
		ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(mContext)
		return ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(mContext)
		.contains(uid)
		\|\| mIPm.checkUidPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)
		== PERMISSION_GRANTED
		\|\| mIPm.checkUidPermission(NETWORK_STACK, uid) == PERMISSION_GRANTED
		\|\| mIPm.checkUidPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)
		== PERMISSION_GRANTED;

		// Check for other policies (data-restrictions)
		final long token = Binder.clearCallingIdentity();
		NetworkCapabilities nc;
		try {
		nc = mConnManager.getNetworkCapabilities(mConnManager.getActiveNetwork());
		} finally {
		Binder.restoreCallingIdentity(token);
		}
		boolean isUidRestrictedByPolicy = false;
		if (isUidAllowedOnRestrictedNetworks && nc != null) {
		int policy = getUidPolicy(uid);
		final boolean isUidAllowedOnVpn = nc.hasTransport(TRANSPORT_VPN)
		&& ((policy & POLICY_REJECT_VPN) == 0);
		if (!isUidAllowedOnVpn) {
		final boolean isUidRestrictedOnCell = nc.hasTransport(TRANSPORT_CELLULAR)
		&& ((policy & POLICY_REJECT_CELLULAR) != 0);
		final boolean isUidRestrictedOnVpn = nc.hasTransport(TRANSPORT_VPN)
		&& ((policy & POLICY_REJECT_VPN) != 0);
		final boolean isUidRestrictedOnWifi = nc.hasTransport(TRANSPORT_WIFI)
		&& ((policy & POLICY_REJECT_WIFI) != 0);
		if (isUidRestrictedOnVpn \|\| isUidRestrictedOnCell \|\| isUidRestrictedOnWifi) {
		isUidRestrictedByPolicy = true;
		}
		}
		}
		// If app is restricted (aka not on the allowlist), it's not allowed to use the internet
		// If it is on the allowlist, then we also check its networking is not blocked
		// (aka active network is not null) and then other policies
		return isUidAllowedOnRestrictedNetworks && !isUidRestrictedByPolicy;
		} catch (RemoteException e) {
		return false;
		}